GDPR Compliance for Ecommerce Sites

Overview

What is the GDPR?
The General Data Protection Regulation (GDPR) is an EU law passed in 2016 meant to give citizens of the EU greater control over collection, storage and usage of their data. By the same token, it’s meant to give businesses a clearer legal framework to work with.

Why do I care about the GDPR?
On May 25th, 2018, non compliance with the law can result in fines and sanctions by the regulatory authorities (€ 2 million or 4% of revenue) in addition to damages suits brought by individuals whose data is handled in accordance with the law.

Does the GDPR apply to Me?
The GDPR applies to any organization that collects personal or behavior data on EU citizens. This broad definition means that any company that has EU customers or collects data on EU users is impacted by the law. In addition to (relatively) straightforward data collection such as customer account information, it’s important to note that you are also responsible for the compliance of third party or custom tracking and analytics software used on your site.
The GDPR has additional requirements of companies of over 250 employees. For the purposes of this post, we’ll focus on the fundamentals as they apply to small and medium businesses under 250 employees.

What do I do About it?
The key principles of the GDPR are broken down below into data collection and data storage as a starting point for ecommerce businesses to taking steps toward compliance. As with any legal matter, it’s important to consult a professional about how the GDPR applies to the specifics of your business operations.

Some Key Terms:

Before getting into the GDPR and related literature, note that the regulation distinguishes three parties within its framework:

The Data Controller: The business with which the Subject is directly interacting with and providing data to. Under the GDPR, the Controller is ultimately responsible for legal collection, storage, and sharing of the Subject’s data. If you operate an ecommerce site, this is you.

The Data Processor: Third party platforms and services which receive/process user data on behalf of the Controller. Ecommerce examples include Google, Shopify, or UPS.

Data Collection

A wide range of data all fall under the GDPR rules for consent and protection of data. Any personal or behavioral information falls under the new regulations which means that in addition to personal information such as bank accounts and addresses, IPs, MAC addresses (device identifiers), photos and social media posts will also be subject to the GDPR rules.

Before getting too overwhelmed by GDPR’s data requirements, it’s important to note that a concept called “Legitimate Interest” allows the Controller (e.g. website) to collect information that is vital to providing the services that the Subject (read: customer) has voluntarily agreed to. For example, collecting name, address and credit card number is necessary to verify the Subject’s identity and process a secure payment which the user has voluntarily entered into contract for. Legitimate interest is a separate justification from the “consent” outlined below. In short, you don’t need to overturn your core operations.Get Clear, Informed Consent
A fundamental principle in GDPR-compliant data collection is clear consent. Users must know how and why you are collecting each piece of information, and actively “opt in” to provide it. The example that virtually everyone in ecommerce will understand is the checkbox opt-in to marketing mail lists. Under the GDPR, a user must be have a clear understanding of exactly what the website will be using the email for. Crucially, the user must actively opt in. A pre-ticked checkbox or consent that’s hidden behind a link won’t fly as stated in Article 4.11, “…Silence, pre-ticked boxes or inactivity should therefore not constitute consent.”

Pre-ticked and unclear opt-ins – Not an option after May 25th

Furthermore, consent cannot be “bundled,” meaning the user must have the opportunity to opt out of specific aspects of data usage and not be faced with an all or nothing decision. An all or nothing consent tickbox is not acceptable.

Good Opt-in, but “Bundled:” Below is a good example of providing users with a clear choice about whether to opt in and what they’re opting in to . However, bundling different marketing channels (SMS, phone, and the vague “other electronic means”) is against GDPR regulations

If you share your data with third parties for the purposes of analytics, marketing, or business operations, be transparent about who they are and why you are sending user data to them.

Cookies
The EU already has cookie laws, but if you’re located outside the EU and are just beginning to familiarize yourself, be aware that cookies fall under the GDPR as well as existing laws.

Collect Limited Data:
In accordance with the GDPR’s “Privacy by Design” which calls controllers to hold and process only the data that is necessary for the completion of its duties, if you don’t use information that you’re collecting, stop asking users to give it to you. For example, a lot of web forms will include a “Company” field that isn’t actually used for business or marketing purposes. In reality this is a UX design best practice regardless, so reviewing your forms to eliminate unnecessary fields could be a win-win in terms for GDPR compliance and conversion rates.

Note: The GDPR contains a requirement that some companies appoint a Data Protection Officer to ensure compliance and act as a contact for authorities and data subjects. However, according to the GDPR website, this requirement only applies to “ controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences.” Most ecommerce companies won’t fall into this category.

Data Storage

Secure Storage:
The GDPR aims to ensure that all EU citizen’s personal data is not only voluntarily given, but also stored securely. One of the most thorny rules in the cross-border world of ecommerce is the requirement that all data be stored on physical servers within the EU. See the Third Party Processors section below for cloud based hosted services, but websites with self-hosted websites and services should conduct an audit of information storage to ensure compliance with GDPR rules.

User Data: Make it Portable, Editable, and Erasable
GDPR requires that Data Subjects (users) can contact the Data Processors (website) and request that their personal information be:

Edited – User data be updated or changed at the request of the data subject.

Portable – User data can be provided to the subject upon request. The GDPR also includes language about transferring data from one company to another at the request of the subject, but no industry-wide protocols have been established yet.

Erasable – A user has the right to request that their personal data be deleted permanently. As a business operating under GDPR regulations, you’re required to provide a visible contact or mechanism for requesting and carrying out these requests.

Another key point is to make very clear to users that the above options are available. Users must be made aware of their rights to withdraw opt-ins and edit or delete. Note that it is your responsibility to pass these requests to third parties as well.

Third Party Data Processors

Most larger hosted solutions and analytics software companies should be taking their own steps to comply with GDPR. The most-used ecommerce and marketing platforms all have their own statements regarding their current or planned compliance with the GDPR as seen below. Be sure to research the specific services that you use and whether you need to take proactive steps in your configuration or application of each one. Be sure to contact them directly if you have unanswered questions.

Further Reading

It’s important for everyone to understand the GDPR in terms of both compliance and best practices for adapting without hurting your business and marketing efforts. The below suggested links include official documents and statements as well as some more in-depth looks at how businesses are complying in practice. Ultimately, GDPR compliance can be a significant positive trust factor, so be sure to let users know what you’re doing for to protect their privacy!